Attack on NS1 sends 50 million to 60 million lookup packets per second.

Share this story

Unknown attackers have been directing an ever-changing army of bots in a distributed denial of service (DDoS) attack against NS1, a major DNS and traffic management provider, for over a week. While the company has essentially shunted off much of the attack traffic, NS1 experienced some interruptions in service early last week. And the attackers have also gone after partners of NS1, interrupting service to the company's website and other services not tied to the DNS and traffic-management platform. While it's clear that the attack is targeting NS1 in particular and not one of the company's customers, there's no indication of who is behind the attacks or why they are being carried out.

NS1 CEO Kris Beevers told Ars that the attacks were yet another escalation of a trend that has been plaguing DNS and content delivery network providers since February of this year. "This varies from the painful-but-boring DDoS attacks we've seen," he said in a phone interview. "We'd seen reflection attacks [also known as DNS amplification attacks] increasing in volumes, as had a few content delivery networks we've talked to, some of whom are our customers."

In February and March, Beevers said, "we saw an alarming rise in the scale and frequency of these attacks—the norm was to get them in the sub-10 gigabit-per-second range, but we started to see five to six per week in the 20 gigabit range. We also started to see in our network—and other friends in the CDN space saw as well—a lot of probing activity," attacks testing for weak spots in NS1's infrastructure in different regions.

But the new attacks have been entirely different. The sources of the attacks shifted over the week, cycling between bots (likely running on compromised systems) in eastern Europe, Russia, China, and the United States. And the volume of the attacks increased to the 30Gbps to 50Gbps range. While the attacks rank in the "medium" range in total volume, and are not nearly as large as previous huge amplification attacks, they were tailored specifically to degrading the response of NS1's DNS structure.

Rather than dumping raw data on NS1's servers with amplification attacks—where an attacker sends spoofed DNS requests to open DNS servers that will result in large blocks of data being sent in the direction of the target—the attackers sent programmatically generated DNS lookup requests to NS1's name servers, sometimes at rates of 50 million to 60 million packets per second. The packets looked superficially like genuine requests, but they were for resolution of host names that don't actually exist on NS1's customers' networks.

NS1 has shunted off most of the attack traffic by performing upstream filtering of the traffic, using behavior-based rules that differentiate the attacker's requests from actual DNS lookups. Beevers wouldn't go into detail about how that was being done out of concern that the attackers would adapt their methods to overcome the filtering.

But the attacks have also revealed a problem for customers of the major infrastructure providers in the DNS-based traffic management space. While the DNS specification has largely gone unchanged since it was created from a client perspective, NS1 and other providers have carried out a lot of proprietary modification of how DNS works behind the scenes, making it more difficult to use multiple DNS providers for redundancy. "We've moved a bit away from the interoperable nature of DNS," Beevers said. "You can't slave one DNS service to another anymore. You're not seeing DNS zone transfers, because features and functionality of the [DNS provider] networks have diverged so much that you can't transfer that over the zone transfer mechanism."

To overcome that issue, Beevers said, "people are pulling tools in-house to translate configurations from one provider to another—that did work very well for some of our customers [in shifting DNS during the attack]." NS1, like some of its competitors, also provides a service that allows customers to run the company's DNS technology on dedicated networks. "so if our network gets hit by a big DDoS attack, they can still have access."

Fixing the interoperability problem will become more urgent as attacks like the most recent one become more commonplace. But Beevers said that it's not likely that the problem will be solved by a common specification for moving DNS management data. "DNS has not evolved since the '80s, because there's a spec," he said. "But I do believe there's room for collaboration. DNS is done by mostly four or five companies— this is one of those cases where we have a real opportunity because community is small enough and because the traffic management that everyone uses needs a level of interoperability."

As companies with big online presences push for better ways to build multi-vendor and multi-network DNS systems to protect themselves from outages caused by these kinds of attacks, he said, the DNS and content delivery network community is going to have to respond.

Share this story

Sean Gallagher
Sean is Ars Technica's IT and National Security Editor. A former Navy officer, systems administrator, and network systems integrator with 20 years of IT journalism experience, he lives and works in Baltimore, Maryland. Emailsean.gallagher@arstechnica.com//Twitter@thepacketrat